Hey everyone, welcome to my talk, Guerrilla Red Team: Decentralize the Adversary. It's a project I've been working on for the past few months. I decided to write a white paper on it; it's published actually today. The more and more I worked on the project, the more I realized that it meant a lot to the people that were involved, so I decided to talk about it. So without further ado, let's get in.

This is a brief overview of what this talk is going to cover. This is a journey that we're gonna take together. It's divided into two parts, phase one and phase two. I'm gonna walk through phase one first, obviously; phase two is gonna come a little bit later when I talk about the "so what" of the program, the "yes, we did this thing, so what?" That's gonna be phase two.

So who am I? My name is Chris Cottrell. I usually go by ice bear friends. Chances are if you see a picture of Ice Bear, it could be me. There's a couple others out there, but ice bear friends is usually where I go. I'm on Twitter, GitHub (I have a few script kiddie things on GitHub) and LinkedIn. I'm open, just hit me up. I have been in the red team offensive security field since 2012. Currently leading my own team right now; it's pretty fun. We kind of get nasty around there. I took my OSCP a few years ago, passed that. Fun fact about that test is I actually consumed over a gram of caffeine the whole time I was doing the test and writing the report. That made me very sick later on, and I hope I never have to do that test or anything like it ever again. And I've also started to delve into the cloud security components of everything, mainly because me personally, I see a lot of security trends going that route and I want to try to get ahead of that as much as I can, not only to build my own, like, automated red team infrastructure, but just to pentest various things in the cloud. Pretty much if you learn one, you can kind of understand the others; there are the big three.
So with my company, we focus on AWS, so that's where I'm starting. Hopefully I have my Solutions Architect soon.

Who is this talk for? That is a great question. This talk is aimed at anybody that is trying to get into the red team field, anybody that runs a red team and is looking for friends, or anybody that is looking to expand or do anything out of the box for the red team. And I will get into what the out-of-the-box aspects are for the guerrilla portion, but mainly it's for people that are managers: you're looking for somebody, you're looking for friends, you're looking for more people on the red team. People that are trying to get into the red team: you're looking for a way in. You're in a company, you're in a help desk or something, and you're trying to break into the infosec field, or maybe you're trying to get into the offsec component, and you don't know where to start. This is a program that's going to take you there.

So just some learning expectations. Like I mentioned, we're going to walk through two phases. Phase one is going to be all about upskilling the assets; phase two is going to be about unleashing those assets. Together those things make up the guerrilla red team. However, this project first started under the moniker of the Red Team Development Program. That's originally what it was called. It was only one phase and it was Red Team Dev, like the Red Team Dev Program, RTDP.

Why did I make this program? First and foremost, because this was me for about a year and a half: just lonely, isolated, by myself, trying to make magic happen by doing ops. You know, our security team is pretty small, so I was the red team component.
I set up my home program infrastructure, all that stuff, and it was lonely. I wasn't able to interface with a lot of the teams because they were the ones that I was testing. So at its core the Red Team Dev Program was there because I was just lonely, and I was either going to build friends or I was going to go find them. So since I couldn't really become friends with a lot of people that I was testing, I decided to just build my own, and that's where the Red Team Dev Program came into place. It turned into something else though, and I'll get into that a little bit later on in the talk, but it turned into something magical in my opinion, and not magical for me but magical for the people involved. That is why I'm here having this talk right now.

So at its core the Red Team Dev Program was going to be, like I said, a way for me to make friends, and it was almost like a pyramid scheme. The red team was going to be at the top; me and my partner that are on the red team, we were going to be at the top, and we were going to have all these little, you know, people that we could talk to and get ideas from and help with idea generation, campaign generation. If we needed assets to test a certain component of the business, we would have those assets kind of spread throughout the organization. So not really a pyramid scheme, but it kind of took on a similar aspect of it.

So I came up with this idea. We were going to post on our cybersecurity channel on our Slack that we were running this Red Team Dev Program, there's a pilot program, and I only posted it in one channel and I posted it once. I told everybody, yeah, fill out this form that had an open-ended question on it. The only question on the form was "tell me about something cool," and the results that we got from that question were super varied, and from those varied results
it was very obvious who was ready for the program and who was not. And we got over a dozen applications, and I would say over half of those didn't even come from this channel, so there was definitely some word of mouth that happened with it.

So when you click that link it led to this form, right, and just like the form I had mentioned, I was trying to dress it up a little bit, make people excited, and it had that one question: just tell me something cool. From that question we were able to take five applications. We accepted five people with one alternate in case somebody wasn't there. I created these templates for their managers, and I would go through and I would say, hey, so-and-so was accepted to the program. We need you to give them, like, we were requesting up to four hours of their work day per week to take part in this program. Are you okay with that? If not, then let me know what you are okay with. And I made this like a sales pitch and everything to go with this, so they kind of get an idea of what the program was. And if their manager accepted, then I would send this to them and say, hey, guess what, you're part of that cohort. I need you to fill out this pre-flight checklist.
I'll get into that in a second. And also, like, we're gonna provide you with some swag. My thought process on this was I wanted people to join the Red Team Dev Program because they wanted to be there, and I wanted them to be excited to be there, because if they're excited they're gonna really put forth a lot of effort, and what that turns into is I get a lot of really good assets later on, right? So the way that we did this was we paid for a Hack The Box VIP subscription for the duration of the program. We paid for three books that they could have and they could kind of follow along with some extended learning, and this came directly out of the cybersecurity budget. So all they had to do was show up and we would pay for everything else, and I walked them through how to do this, how to submit expense reports for everything. I'm sure it could be streamlined, but that's for the next step. And I also let them take a look at the sales pitch that I sent to the manager.

And because I like to make it fun and exciting, I went with a Pokémon theme. These are laptop stickers that we have. This was Absol. Cool. Absol cohort for Q2 2020. The idea behind this is every cohort, you know, every quarter, every half, they would get their own Pokémon, and if you do well in the cohort you would get to stay on as a fellow, and the longer you stayed in you got to collect them all, so you could collect all the Pokémon. I thought it was fun.

So now that I got some branding attached to it, we're gonna go through and we're gonna say I need you to fill out this pre-flight checklist. This is an example of it, but really, here's the meat and potatoes.
This is how the students answered this question, and it seems like most of the people came from the help desk field in this cohort. There was a couple that came from other technical disciplines, but a bulk of them came from help desk. And the comfort was kind of all over the place, as you would expect. One person said that they knew how to do an SMB relay, but most of the time I tried to gauge how they thought they were at, like, what their technical skills were. So for example Windows networking: I mean, to me, watching YouTube is a good way to get started; you at least know what you're trying to watch. But if you can mount a file share, maybe you understand SMB a little bit more. Same thing with Linux. Seems like quite a few people knew what SSH was; a couple of them knew how to use SSH keys, or at least understood what that meant. And just general ideas of what the people wanted to get out of this: for the bulk of it, everybody just wanted to learn about red teaming. A couple people wanted to take it just that bit further and say, like, I wanted to look into a career. I made it very clear that this was not what the program was, but that's fine. And I wanted to teach these students.
I wanted to teach them how to fish, not necessarily how to be an operator, but how to get to a point where they know, okay, I have X problem in front of me, I'm going to go with Y solution. Whereas at the start of this program they may not even know what X problem was, or even how to search for Y solution. The program here was to help them get to a point where they could ask that question and start doing research on their own.

So like I mentioned, we primarily used Hack The Box for a lot of the practical application portions, and we did that by providing a VIP subscription. The reason we went VIP is because for some of the lessons that were being taught we needed the actual walkthroughs, and if you have a VIP subscription you can download the walkthroughs for retired machines. So it wasn't so much about getting points and everything, but it was about learning, and the best way to do that is just to say: try it for a few days, and if you can't figure it out, let's talk about it, and then if you still can't figure it out, just download the walkthrough. Because I at least want to incorporate some sort of learning; I want to push the whole cohort forward at the same time, not just one person, onesie-twosies.

These are the three books that we picked. Slight caveat warning: my name is actually in the one on the left. I knew what was in the book because I helped do some technical review for it, and I knew that it would be a good resource to have for students later on. Waging Cyber War was there to kind of expose the students to not just what a red team is, but how do you take a red team to the next level, like for real,
not just exercises and board gaming. And then the Red Team Development and Operations book that Joe Vest and James Tubberville released just this year, which is super awesome. If you are a red team manager, I highly suggest you read the first half of that book. If you're a red team operator, I highly suggest you read the second half of that book. If you just want to read the whole thing, go for it, because it's awesome all the way around.

So phase one, the Red Team Dev Program, started. So I had selected all the applications, we selected our five people for our cohort, we got buy-in from their managers to come in for four hours a week. On Fridays the whole cohort met together and we would start going to town. So I made this syllabus for the program, and it was broken up into two parts. There was the "we're going to learn how to do this" phase, which was the first five weeks, and then there was the live ops phase, which is the last four weeks. The first five weeks are all going to be broken down into things like: here's Windows, here's Linux, here's how you do Windows privesc, here's how you do Linux privesc, here's how you do password cracking. And we would meet once a week to discuss those things and go over, you know, learning and everything that we needed, and just try to impart as much knowledge as we could so that they could go out and try to research this.

We also incorporated, in addition to the books, the podcast Darknet Diaries. Whatever the lessons were that we were trying to teach that week, I tried to sync up a Darknet Diaries podcast episode with that. Sometimes they matched up very, very well; sometimes it was just more of a "hey, listen to this episode because it's really good." So this is just a quick breakdown of the syllabus, right?
Week one: introduction to red teaming. We do Legacy. Week two: Lame. Week three was all about password cracking. Week four: Windows privesc. Linux privesc. Live ops.

Yep, so week one is intro to red teaming. This week focused heavily on talking about what op notes were and how to take them correctly. And the reason I harped on this was because, for me, the op notes are the deliverable that were required every week, and if I can't read them, and if I can't figure out the narrative that the operator is trying to do, then it's essentially useless. Because I need to be able to take those op notes, look at their op notes, and replay the op and do exactly the same thing that they did without ever talking to them. So this was a constant theme throughout the cohort: op notes, op notes. It needs to be in a certain narrative. It needs to have certain types of information. If I want raw logs, I'll go pull the raw logs myself, but I don't want raw logs. I want to know what you did. So we talked a lot about op notes.

Fortunately most people had an understanding of what Metasploit was and knew how to use it, so we could just skip kind of straight to doing this first box, which is Legacy. I paired that up with the Darknet Diaries episode 57 over MS08-067, and this was just a quick win. This was like: let's see what your op notes look like, let's see how you think, let's get an idea of what being on target looks like. All the students completed this. So here's the episode; we talked about it, you know, net, net, FBI. Here's the box. It was an easy box. Yeah, almost all the boxes in this program are easy, and that's not... like, some are definitely easier than others in the easy category. But keep in mind this is like we were just trying to do learning. We weren't trying to be super... we were trying to get these people to a certain level so that they can do things on their own. For this one, it was super easy, CVE.
I think everybody got it pretty quickly. Week two was the other OS. I started talking about Linux here, and I paired that with just a podcast where you could get an idea of what some professional penetration testers would do. Lame was the box that we chose, and at this point I started trying to profile and categorize everything so that the students weren't so lost all the time. So there's the Linux OS; I thought you'd probably have to use nmap or Metasploit, and if they completed it, I was like, here's another box you can try. But nobody did it. So as I built the syllabus, I was definitely overzealous in trying to make things. I could have focused on providing more learning links and less on "hey, if you actually complete this one, try this super hard box." Just visiting a physical penetration test. Lame again, pretty easy box. Most of the ones that I chose are pretty CVE heavy, and everybody completed this. We still were kind of harping on op notes a little bit. Some people were doing very well; some people still needed some course corrections. It was super interesting to see this template that I made, and I tried to show everybody, like, some students would go one way with it and some would go completely another way with how they structured their op notes. They were still giving me the information I wanted, but it made sense to them from their perspective, and it was really interesting to see how they chose to start capturing all this information and how their brains started making sense of everything. They were trying to make sense of it themselves, but they were also trying to make sure that I was happy with them.

Week three, I decided, hey, let's do password cracking, because when you're going to get on a box, they're not all going to be NetAPI or immediately get SYSTEM, so you're probably gonna have to crack some creds now and then. And this week is where things started to get interesting.
So those learning links at the bottom, those were not there when I originally made the syllabus. As the week went on, I started talking to everybody throughout the week, because, yeah, we would meet on Fridays, but we would also talk throughout the week as well. People were running into some issues and I had to go through and research, and my cohort and my red team buddy Steve, he went through there and we put all these learning links in there. And as you see at the bottom, there's a Kerberos primer, right? That's my fault. That's my fault that I chose this box. I was looking for password cracking, but I had taken these people that were in help desk and I had thrown them into a Kerberos situation. Now, luckily for me, they all kind of did what they needed to do and they talked to each other, which is great, because part of the cohort was forming an internal mesh network of trusted ethical hackers, not just for me but for them too. Because it was for me, for the assets, for them. You may not always want to go to the instructor and say, hey, how do I do this, for the fifth time. Maybe you want to go to your buddy, because you're going to be judged a little bit less for that. So if I could build that trust into the cohort, that's amazing, and that's exactly what happened this week. Because they all talked to each other, and throughout the week this portion of the syllabus changed and you had those learning links get added in, you had the Kerberos primer, you know, popped in. I think by like Wednesday a couple people had downloaded the walkthrough and at least said, "I'm going to get some learning out of this even if I don't understand it." But at the end of the week everybody did in fact pwn the box. So there's RockYou. This is the podcast I chose for this week, and I got a lot of really good feedback on that one.
So thank you, Darknet Diaries, for having a podcast on RockYou, because they said it helped a lot with how they were going to attack the box. Again, Active is what we chose. There was a CVE, but then, you know, there's some other things you had to do. I'm not going to spoil it for everybody.

Week four. We just get worse and worse, right? I chose all these boxes and I was like, this is going to be great, they're going to figure out things pretty quickly. That didn't happen. More learning links had to get added in, and this was just a constant, iterative process between myself and the students and my buddy Steve. How are you doing? How's everything going? Okay, so there's going to be some issues here. Let's go ahead and drop a learning link in; maybe it'll kind of help speed things along. Had to do some living off the land stuff again. This week was a little bit interesting, mainly because there was some crazy stuff that happened with this box, and the constant feedback and connection that we had with the cohort was critical from this point forward. From this point forward people were starting to get a little upset. Not upset, but just, like, frustrated, right? You're not supposed to be frustrated when you're trying to learn stuff, and they were being frustrated for the wrong reasons. They weren't being frustrated because, oh, this is challenging. They were being frustrated for something that they had no control over: this gap in knowledge that I didn't prepare them for. So by having that constant feedback and talking to them throughout the week, we were able to kind of overcome some things. It was a little rough at first.
I mean, this is a pilot program, but the next one will be more streamlined. And because this was a Windows privesc lesson, I picked Shamoon, a pretty famous attack. Then there's the box Optimum. Some CVEs, you know, in with this. But what happened after Optimum was complete for that week, and we started talking about week five... You know, like we would show up week four, we show up Fridays for a four-hour block, I started doing op notes, and then I started trying to talk about what was going to happen for the next week. What happened was this: I got a Slack message from one of the students. After our lessons had ended, all the students met together and they started talking about feedback and how things could be improved. Now, I could have taken this one of two ways, and I'm not trying to, you know, have an ego about it or anything, but I could have been really offended by it. But because I was starting to see that the students really, really cared about the program, even though they were frustrated, they really cared about it. Basically this feedback was saying: we need help. We need help. We need some better walkthroughs, we need more direction, we need you to do a better job. And they weren't saying it in a way that was "you suck," it was "we want to make the program better." And I heard them, and as a result of that I decided to implement something else. I was doing it live. I was going to do what I call a sherpa op. Now, a sherpa op: I got the term from Destiny, because you have somebody that's really skilled in doing a raid or something, and they would take, I don't know, five other people through and they would just kind of guide them, right? People that didn't know what they were doing, they were just going to guide them through. So I was like, how can I do that for red teaming?
So I came up with this term called sherpa ops, and that's what we did. So at the start of week five, I was like, guess what guys, all of us get on target, because this is what we're doing. I have not done this box. I will not do this box. We are going to work together, all five of us, myself included as the sherpa, and we are going to go through this host together, and I'm going to try to guide you through without ever touching the keyboard. And I had done no research on this. I just saw it was super easy and had, like, a complete total amount of user and root owns, so I figured it was probably good to go. I didn't know what we were going to do with it. I didn't know how successful it was. All I knew was that it was a super easy Windows box. And at the end of one hour after we had started, everybody in the group had owned that box. And it was pretty awesome, because I was asking them questions and sparking ideas. They'd scan something and I'd say, like, okay, tell me about this. Tell me about this. Tell me about this. They would scan, they would come up with their own ideas, they would give me feedback and I'd say, okay, that's great. I need the information about this; how would you go find it? And just constant back and forth. It was almost like doing an escape room. Like, everybody gets their one hero moment in an escape room; that was pretty much the case for this. Everybody got their hero moment where they found one piece of the puzzle, and it was really awesome to help guide them through. And it was just a good experience because of what came after. Like, it was good to do the sherpa op, but afterwards, when I was doing a feedback session on it, I was like, what would you guys think? You know, what do you think of the program, even, because this is week five right now? And the feedback that I got is what made me decide to write a white paper about this program.
They reported that their co-workers and colleagues were asking when they could apply for the program, because they saw what the, you know, the guerrillas were doing. The students tried to find other similar programs at other places. They found nothing. I know that OffSec has their academy now, but hey, I was there first. But this was like a straight-up grassroots campaign to bring people into the field, and it started out as a way for the red team to get trusted assets throughout the organization to help fuel ops. But from this point forward it turned into something else. This was more important to the students than it was for me, and this was giving them an opportunity to learn some skills, to talk with a red team dude, to ask questions in a non-judgmental environment, to marinate on some of the lessons that were being learned, to struggle and grow together as a group instead of just one-on-one mentorship. And I was like, I gotta write this up. And I did, so the white paper is being released today. So thank you so very much.

But after that I was like, you know what, let's do week five. Let's go. And originally the box that I picked was Calamity, and I picked Calamity at the very beginning not knowing what that was, and a couple days into that I was like, y'all need to stop doing that immediately and go do this other box instead, which was Traceback. And I mean, some of the Linux learning links that were placed on there still applied, but I kind of led them into the slaughter on that one. And at this point, I kind of ran out of cool Darknet Diaries episodes that perfectly lined up with what we needed at the time, so I was like, okay, just listen to these mini stories, I guess. But Traceback was a lot of fun. Everybody in the cohort pwned it.
This was actually supposed to be the first box of the live ops, right? Live ops was a shift in mentality. Whereas the first five weeks were "work together to succeed together": learn how to do these things, keep doing your op notes, keep learning about Windows, Linux, keep learning about all the offensive tools that are out there, keep challenging yourself, come to me with questions, come to your cohort with questions. Just don't stop. If you hit a roadblock, don't just sit there at the roadblock, like, figure it out. And if all else fails, you know, part of figuring out that roadblock is downloading the walkthrough from Hack The Box, which is why we bought the VIP subscriptions in the first place.

Weeks six through nine (well, now week five, because of Calamity), that was all about, like I bolded right there, "work together, succeed individually." This is the struggle phase. This is the "break me off" phase. This is going to be the phase where people got to see what it was like, just a little taste of being dropped into a live network where you can't just download the walkthrough. They were going to have to struggle.
They're going to have to figure things out on their own, and it's going to suck. Some of the students did very, very well, and I'll give you a slight spoiler alert: I didn't intend to steal people from other organizations, but one of these students is now on the red team because of some of the aptitude that they showed. And some of them, you know, it's to be expected: they hadn't seen these things before and they struggled because there were knowledge gaps. Like, if you asked me to go do quantum theory, I'm not going to know what I'm... I can go YouTube some stuff, but I'm not going to be able to talk to you because there's this huge gulf of knowledge that I can't overcome. It's the same thing for some of these students, and you have to recognize when those gulfs hit: okay, time to take a step back. And that happened during the last weeks of the live ops; I had to redirect one of the students to do something else.

So the way that we had set it up was you have to do two easy machines. You have to do one of the easy machines before you can move on to the hard ones, or to the medium ones. For this it was Traceback and Remote, and because we were doing Traceback instead of Calamity, they already kind of got a head start. Remote was pretty fun. All the students pwned that one. There is a CVE attached to it, and then the actual privesc portion was pretty interesting. A lot of research went in from the students, once you... and some of these things age off. And the reason I chose all the live boxes, like I said, was just so that they could get a taste of what it feels like to be in a network and not have any help, or... and to get some points to go along with it. Because if you can get some real points, you can go back and say, like, hey, I'm not a script kiddie anymore, or like, I am not new. But anyway, so I was trying to gamify it as much as I could and get some points. So for the medium boxes we chose Sauna and ServMon. ServMon was pretty fun, but it was kind of unstable, and I felt
like I had to warn people about that, because you don't know what you don't know at that point. Some of these people are pretty new. They may think that they're doing the right thing and the box just wasn't working. So I did a little pathfinder thing and went through and just blasted through every easy and medium box that I could, so that I could kind of guide them and say, like, hey, by the way, on this one, ServMon, it's going to be kind of a pain in the butt. The person that got chosen to come up to the red team completed both of these boxes. Almost everybody completed at least one of these, and one student did not complete either, so that student was pushed to a similar type box, but one that had a walkthrough instead. And that didn't really happen until about week eight or nine. So from this point on, the cadence during the live ops sections went from "hey, these are learning links" to "let's talk about what challenges you're running into. Let me see your op notes, even if they're not finished; upload and let me look at them. Let's take a look at these things." So it turned more into a red team discussion and not so much a lecture during the second half. Nobody made it to any of these, so I don't even know if we'll have the challenge boxes in during the next iteration.

But at the end of nine weeks, this is one of the op notes from one of the boxes; I forget which one it was. We went from somebody that had never done red teaming before, never done anything closely related to it, and at the end of nine weeks they were producing op notes like this. And this is not the person that was chosen to be on the red team; this is from one of the other operators. Just from this small snippet you're able to tell, hey, like, I don't understand what the narrative is.
I understand what they tried. I understand what they were thinking. And most of the op notes looked like this by the end of nine weeks. And this was a huge pain point that I kept harping on, and that was constant every week: let me see your op notes, op notes, op notes. But these students can take this methodology with them. I even made an op note template generator for them. But the methodology here is now in their brain: if they do ops, so if they do Hack The Box, they're going to have their op notes up. If they try to do OSCP, they're going to be taking op notes now. They will understand where they've been, what they're trying to do, and maybe if they're stuck on something they go back, they read their own narrative, they say, oh yeah, I should try that. And to me that was the most critical part of this, for teaching these junior operatives, or real operators, how to fish.

So at the end of the nine weeks the cohort was over. I sent out the same exact questions that I had at the start of the cohort, just to see where they thought they were. So on the left is the pre-flight survey that I had, and then on the left is the exit survey. So it looks like a pretty good increase with Windows networking. Great increase, actually, with the Windows networking; a lot of people really understood SMB a lot more. Similar situations with the Linux stuff: pretty big increases with comfort with the Linux operating system, comfort with Linux networking. It was pretty good. And then just what they thought they wanted to get out of the experience on the left, and then what they kind of felt like they did get out of the experience on the right. I mean, it was pretty Windows heavy.
So there's a lot of that's probably why like Majority of the windows stuff went up But on the right you're going to see a lot of people talk talk about how they The methodologies the the recon Like the second comment they're putting theoretical knowledge like in the test and then applying it How to research things like that. These are these are all the the core things that I was trying to do And at the start of my pre flight survey at the beginning of the thing or I'm sorry on my On my application process. I said what this is it's a chance to hang out with a red teamer and talk shop What this isn't is an internship. So These this feedback is actually exactly what I was looking for and it could be streamlined a little bit better 100 I'm sure there's other people that if you take this program and you do it You're going to do it better than I will and that's awesome Please publish that but really it's all about just like upskilling people And you have if you have its upskilled assets throughout their organization You have your security IQ is also raised as well So not it doesn't just benefit you it benefits the whole business And I just wanted to put this in here because I'm about to show all these nubes I wanted to show that all six of them have said that yes, I can use their picture So this is the absolute cohort right here and the biggest new was up there in the top right I was with these this group for Nine weeks. We still talk and just forward all the time still talk shop Even though that the cohort has been over for about a month and a half now It was great. 
It was an awesome opportunity and I feel like some of these people are going to Go forward and probably become infosec professionals Some of these people may choose to go a different route, but they're always going to have that security mindset Right, they got to see what an attacker looks like because they were one at some point But wait, there's more because I said that there were two phases to this So phase two is the gorilla red team aspect phase two Came to me when I was actually writing up the paper for phase one, right I was writing up this paper. Like I said, the original intent was we're going to upskill people Security IQ assets are going to be great. It's going to be awesome. But I was writing up the paper. I was like We have these low tier trained trusted adversaries in our network now And at the same time, we also have these tools that we spend a lot of money on that say Oh, yeah, like we're going to go after the advanced adversary It's going to protect you from the advanced adversary because all these low tier script kitties are just going to get blasted straight out of the window By all these other tools and you're protected. So I was thinking You know, like let's test that let's test that because I just spent nine weeks training these people and at their core Like they're low tier actors, right? There's the script kitties. They're and more than that. They're trusted script kitties And I know that if I give them something to do They're going to execute on it. They're going to take notes on it. I'll be able to de-conflict with them I was like, man, let's try it. Like this the idea made so much sense to me I was like, we just train these people. Let's let's use them. Let's That's where the two phases came in. We upskill the assets and now we're going to unleash hell on them So I had to come up with this way to sell it because I had to sell out everybody had to figure out How are we going to? 
Decentralize these adversaries How are we going to arm these gorillas if I if I if I if the red team is the green berets and These people that we just spent nine weeks training are the local indigenous population that now know how to shoot a gun How do I get them a gun? How do I get them a target to attack? That was my problem to figure out and I was like, I gotta I get to figure this out right now And I gotta incorporate this into my paper So Here's the gorilla red team right here. This is what it is that it's core And just like I talked about like you have all these Uh edr platforms and say, oh, we'll protect you from all this stuff advanced sandboxing Uh edr is essential You have like this edr maturity model, you know, like like you have we have ai built in and stuff. Okay We'll see if you can kick off some low tier actors So this is the flow chart that I came up with this and I'm going to walk through it real quick Right. This is the gorilla red team phase two flow chart And before I really get into it, I just want to just kind of walk through just a brief How how a gorilla red team works, right? You train up you up skill the gorillas, right? That's the red team death program. That's phase one Phase two is the red team retains control of these assets But to arm them, what does that mean exactly your arming means? You have to provide them with a way to attack right So that means you have to provide them with a platform to attack from And you have to provide them with the ammunition to attack with Translate that into cyber is Basically, you have to provide them an ops box to shoot from And you have to give them credentials to shoot with because they may not like they may not Be able to pop a box but They can probably exploit a box with credentials So now at this point Like what are those credentials look like? 
Okay, those will probably be basically canary credentials. We have to form, I'm going to have to form, some partnership with the help desk now, some high-level partnership with these stakeholders, so that we can get certain credentials that are inactive to be used during the op. By the way, what does that look like? Let's keep the same case: four hours. Do four hours once a month per guerrilla operator. Okay, so for four hours once a month, instead of doing Hack The Box, they're going to hack the network, and the red team is going to have to figure out a way to maintain control of that.

So let's walk through how this is. I call it an arms delivery, right? Does the guerrilla operator have an arms delivery? If the answer is no, they go to this space. They're going to submit something that they want, an op plan, which is like: this is a singular target that you want to attack. The red team is going to conduct safety checks on it, to make sure you're not trying to pop the CEO's box or something, or take down some super critical production asset. They are not there to say yes or no to what the target is; the red team is there to say yes or no, this is safe. The red team is not allowed to say yes or no to what the target is, because we're decentralizing the adversary. The red team might not see this particular target as worthwhile, but this guerrilla might. So if you're going to put all your EDR platforms on all your crown jewels, but you leave this other thing over here just open, maybe the guerrilla goes after that instead, because they just want to, right? So that's part of the decentralization, or the decentralized process.
Anyway, if it gets approved, we go into the arming phase. Right now the red team will request accounts from the help desk, or whoever it is. If they get approved, they will be held in trust; for our example, we're going to hold them in LastPass. But they'll be inactive. So you have like 10 accounts with varying sets of permissions, inactive, ready to go, and that requires your relationship. So if you're on a red team and you want to do this, you'd better start learning how to talk to people, because you should be doing that anyway, but you're going to have to build a relationship and sell this thing.

Anyway, so your credentials: you're going to build your target package. So what does that look like? That's credentials: you siphon off one of the credentials. You build them an EC2 instance that has a public IP, or that is peered internally. You generate some SSH keys just for them. You push your creds and your keys to S3. It's locked down; the attack host is sitting there waiting to go. All that is required now is for them to schedule their op for their four hours.

So at this point they've submitted something they want to attack, and that can come from the red team. The red team can provide that list and say, pick one of these 10 things, because they're the most vulnerable. If you have a vulnerability management platform and you can pull that list, you can get an idea of whether or not it's going to be super hard, and you can just kind of farm this out to the guerrillas. But you provide: okay, here's what you're going to attack, here's the cred you're going to use to attack it with, and here's your security mechanisms to get on this host. So now you need to schedule an arms delivery, which you have done, so now we go to the second phase of the flow chart.
So yes, the arms delivery is scheduled. Now, on the day of the op, when it's scheduled, the guerrilla is going to give you an IP address, and you as the red team are going to have to submit this IP address for whitelisting. You as the red team are going to have to notify the help desk to make the account active. And there are automation steps in here all over the place, of course; the more that you can automate this with Lambda or whatever, the better. But you're going to notify the help desk: hey, I need you to make this account active in an hour, 30 minutes or something. They make it active, and then you go to EC2 and whitelist that IP in the security groups. Then you go to S3. You can either figure out a way to whitelist the IP in S3, or generate a presigned URL and just give that to the guerrilla so that they can pull down their target package, and maybe that presigned URL only lasts four hours. Okay, which is what we said we're going to do anyway. So you give it to them and you say, hey man, at 10 o'clock I need you to pull down this and get ready to go. It's going to have your SSH keys to get into your ops box. Here's your target. Have fun. So they download the target package from S3.
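Editor's added example, not part of the talk and not the speaker's own tooling: the "presigned URL that only lasts four hours" step above, written out in plain Python using only the standard library, so that what the four-hour limit actually is becomes visible. A real deployment would normally call boto3's generate_presigned_url with ExpiresIn=14400; this mirrors what that call produces (SigV4 query-string signing) without needing an AWS account. The bucket name, object key, region, access key ID, secret and the fixed clock time are constructed placeholders, and the function names presign_get, expires_at and is_expired are this example's, not AWS's. Two caveats a practitioner would want: the expiry is signed into the URL, so nobody can extend it later without the signing key, but a URL signed with temporary credentials dies as soon as those credentials do; and the URL expiring does nothing to the EC2 security group rule, so the four-hour cleanup the talk describes still has to happen separately.

```python
"""Four-hour presigned S3 GET URL, standard library only (added example)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"
OP_WINDOW_SECONDS = 4 * 60 * 60         # the talk's four-hour op window
MAX_PRESIGN_SECONDS = 7 * 24 * 60 * 60  # SigV4 hard limit: seven days


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation; the raw secret never signs a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_get(bucket: str, key: str, access_key_id: str, secret_key: str,
                region: str, now=None, expires_in: int = OP_WINDOW_SECONDS) -> str:
    """Build a GET URL that S3 honours only until now + expires_in seconds."""
    if not 1 <= expires_in <= MAX_PRESIGN_SECONDS:
        raise ValueError("expires_in must be between 1 second and 7 days")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"   # virtual-hosted-style endpoint
    canonical_uri = "/" + quote(key, safe="/~")

    # Everything S3 will verify travels in the query string, sorted by name;
    # quote (not quote_plus) so '/' becomes %2F and spaces become %20.
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = urlencode(sorted(params.items()), quote_via=quote)

    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",    # canonical headers block, terminated by a blank line
        "host",              # signed headers
        "UNSIGNED-PAYLOAD",  # presigned S3 URLs sign no body hash
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def expires_at(url: str) -> datetime:
    """Read the expiry S3 will enforce straight out of the signed parameters."""
    q = parse_qs(urlparse(url).query)
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return issued.replace(tzinfo=timezone.utc) + timedelta(seconds=int(q["X-Amz-Expires"][0]))


def is_expired(url: str, now=None) -> bool:
    """True once the arms-delivery window is over; the URL is inert after that."""
    now = now or datetime.now(timezone.utc)
    return now >= expires_at(url)


if __name__ == "__main__":
    # Constructed placeholder inputs; nothing here is a real bucket or credential.
    t0 = datetime(2020, 10, 1, 10, 0, tzinfo=timezone.utc)
    url = presign_get("guerrilla-target-packages", "op-0042/target-package.tar.gz",
                      "AKIAEXAMPLEKEY0000", "EXAMPLESECRETKEYEXAMPLESECRETKEY", "us-east-1",
                      now=t0)
    print(url)
    print("expires at", expires_at(url).isoformat())
```

The guerrilla only ever sees the URL; the secret stays with the red team, and changing any signed parameter, including X-Amz-Expires, invalidates the signature.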
They connect to the host. They conduct their op for four hours. They're probably going to make a whole hell of a lot of noise; they're going to set off a lot of alarms. And then at the end of four hours, automation kicks in. Security group blacklist, or, not blacklist, but their whitelisted IP gets removed from the security group, and they lose access to the box, and the op is over.

Now, even if they weren't successful, even if the creds worked but they couldn't get on anything at all: some random box in the network just got hit with some random account. And maybe the EDR caught the malware that they were trying to put on, maybe it didn't. Maybe they just got on the box and did a bunch of surveys or something. By the way, similar to Hack The Box, the red team would put user.txt and root.txt on the box as well, to simulate sensitive data being stolen. It still gamifies that a little bit, so they see if they were able to get their user.txt and their root.txt. But even if none of that happened and they just set off a whole hell of a lot of alerts, think about that: some random box that was just attacked by some random low tier person that's just making all kinds of noise. What's the blue team going to do with that, right? Are they going to treat it like a real one? Because that doesn't really fit the TTPs of the red team, which is typically stealthy. This is noisy. This is nasty.

So it's a good training opportunity for everybody, really. The guerrillas get it; they get to sweat a little bit by trying not to kick over a production box. The blue team gets to do some deconfliction, and if the EDR doesn't pick up anything, well, then you need to reevaluate your EDR, because some low tier people just kicked down the front door, and that's a problem, and you should know that from a trusted source and not from getting ransomware in your entire network.

But anyway, after the op is over, the guerrilla submits their notes to the red team. We debrief the guerrilla and we store the op notes for deconfliction. I have a whole deconfliction process set up at my red team, and we just kind of wait for those things to come in. And then here's the fun part. Once that is done (the ops platform doesn't always have to be a Kali box; it could be a Windows box, it could be anything), once it's done, you power off the EC2 instance and you take the hard disk and you image it, right? And what you do with that is you give it to the blue team, and it's up to the blue team to decide whether or not they want to do forensics training on it. They can do response training as the guerrilla is banging around on the network, but if they want to do forensics training, they have this image of a low tier actor with all their tools and stuff on there. I had thoughts of maybe having all kinds of logging turned on in the ops box so that they could go find those. And then the blue team would have to go make the compromised account inactive, and if they don't do it within a certain amount of time, then the red team has that relationship with the help desk already built in.

But really, this whole process accomplishes so many things, right? And when I talk about decentralizing the adversary, here's what it accomplishes.
It doesn't mean decentralized in the physical sense. Just because your operator is in Arizona and they're attacking something in New York, yes, that is one type of decentralization, but you're decentralizing TTPs. You're decentralizing target selection. You are decentralizing all sorts of things, and you're doing that by giving it to somebody that maybe writes their op notes a little bit differently. You tell them one thing, but their brain interprets it as something else and they make their own set of op notes, not in any way that you had ever thought to even make them. People think differently, and at the end of the day it is a person that's behind the keyboard. So if you can get as many variables into your network as possible, in a controlled manner, that's just going to make your security program even stronger. And at the end of the day, you might also spin up some red teamers in the process, and they're going to come to you, or they're going to bring new life into the community. And I'll tell you, the only thing that this program really cost to do was time. It didn't cost thousands of dollars to do this. It cost my time and it cost the time of the people that were in the program.

So what's next? Well, unfortunately, I couldn't actually talk about the guerrilla ops that we are doing currently, because they're still in progress, and I wanted to have a little bit more data to say yes, these work, or no, they don't work, or we had to change these aspects. Maybe that'll be a 2021 talk, like Guerrilla Red Team year two. I don't know. But what's next is we're going to continue to try to automate a lot of the build-out process for arming the guerrillas, trying to maybe automate some of the target generation, just more of the processes of what we do with the platform and how we get things to the guerrillas. That's what we're going to try to do: just keep testing it, gathering metrics and all that boring red team manager stuff,
so that we can see how much of a business impact it actually did have. But at the end of the day, for the capital investment that was required for this, I imagine it's probably going to have a significant return on investment, because it didn't cost anything. It cost less than a hundred dollars per person for nine weeks.

So I want to give a couple of shout-outs; that pretty much is the end of my talk. Remember, phase one was the red team dev program: you upskilled the assets. Phase two is in progress, the guerrilla red team: you let them loose on the network to decentralize as much of that thought and brain power as you can.

Shout-outs: I want to thank cyber area for giving me a platform to write my paper and for working with me on everything. I had never done a white paper before, and they were awesome to work with. So if you have anything that you want to talk about, they really help you out getting your thoughts on paper, and editing, and everything else. I also want to thank Mr. Elmar for letting me slide into his DMs at the last minute to get this talk approved, because as I was writing it up, I was like, I really, really, really want to talk about this guerrilla aspect, because I think it could change how a red team arms itself. You have your professionals, and then you have these low tier assets that you've trained, and they're supposed to be low tier. Like I said earlier, low tier ain't so bad. Low tier is good if you have the right controls in place. So thank you, Elmar, for letting me in.

I want to thank the Absol cohort for sticking with me through this pilot process. I definitely should have streamlined it a little bit better, but because of your feedback I think I've been able to make it a better place for the next cohort, and all of them have said that they wanted to stay on as fellows, so we're going to continue to talk, and I look forward to seeing how they grow. I want to thank Hack The Box for having a platform on which we could host a training program of our own, ad hoc. And I want to thank Darknet Diaries for being one of the only hacking podcasts that I could find that was actually good. It's not just good because it's one of the only ones; it's good because it's good. So thank you for that.

So thank you for walking through this whole process with me. It's been a lot: phase one, phase two, a lot of talk. It's all about how to upskill and unleash assets, and that is the guerrilla red team. So if you have any questions, please feel free to reach out to me on Twitter. I think I'll be in Discord for a little bit to do some Q&A on this if anybody has any questions. But really, take this and run with it. I have an op note generator if you want to steal it on my GitHub. It uses PyCharm... I'm sorry, it uses Sublime and a JSON file, and all you've got to do is plug a couple of things in and it spits out a really good op note template for you, makes a bunch of folders and stuff so it's easy to categorize. But other than that, please feel free to reach out, and I hope that somebody takes this and makes it even more awesome than I made it, because I really would like to see it spread. Getting people into the field outside of the federal pipeline is hard, and if we could do this at the grassroots level, not only does the red team win, but the people win, which is what's important. And if the people win, the business wins too. I have to say that, but the people win the most, and that's what it's all about. So thank you. My name is Chris. Take care.